An ISN (initial sequence number) bug?
Don Lewis
truckman at FreeBSD.org
Mon Aug 13 16:02:28 PDT 2007
On 13 Aug, Huang, Yusheng wrote:
> Hi,
>
> I think there is a bug in the tcp_isn_tick() function.
>
> 1477 static void
> 1478 tcp_isn_tick(xtp)
> 1479 	void *xtp;
> 1480 {
> 1481 	u_int32_t projected_offset;
> 1482
> 1483 	INP_INFO_WLOCK(&tcbinfo);
> 1484 	projected_offset = isn_offset_old + ISN_BYTES_PER_SECOND / 100;
> 1485
> 1486 	if (projected_offset > isn_offset)
> 1487 		isn_offset = projected_offset;
> 1488
> 1489 	isn_offset_old = isn_offset;
> 1490 	callout_reset(&isn_callout, hz/100, tcp_isn_tick, NULL);
> 1491 	INP_INFO_WUNLOCK(&tcbinfo);
> 1492 }
>
> If isn_offset is close to the 4G boundary, the projected_offset is
> likely to overflow the 4G value, so the unsigned comparison at line #1486
> will not be true and isn_offset will not be incremented by
> tcp_isn_tick() for a very long long time.
I think the comparison should be done with the SEQ_GT() macro.
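An added example, not code from the thread or from the FreeBSD source, that models one tcp_isn_tick() step with the quoted unsigned comparison and with SEQ_GT(); it assumes ISN_BYTES_PER_SECOND is 1048576 and uses the SEQ_GT() definition from tcp_seq.h (signed difference), so the stall near the 32-bit wrap point and its absence with SEQ_GT() can be observed directly.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed value for ISN_BYTES_PER_SECOND (FreeBSD's tcp_subr.c uses 1048576). */
#define ISN_BYTES_PER_SECOND 1048576
/* Wraparound-safe sequence compare, as defined in FreeBSD's tcp_seq.h. */
#define SEQ_GT(a, b) ((int)((a) - (b)) > 0)

/* Constructed state: the two globals that tcp_isn_tick() updates. */
struct isn_state {
    uint32_t isn_offset;
    uint32_t isn_offset_old;
};

/* Step as quoted in the report: plain unsigned '>' stalls once projected_offset wraps. */
uint32_t isn_tick_unsigned(struct isn_state *s)
{
    uint32_t projected_offset = s->isn_offset_old + ISN_BYTES_PER_SECOND / 100;
    if (projected_offset > s->isn_offset)
        s->isn_offset = projected_offset;
    s->isn_offset_old = s->isn_offset;
    return s->isn_offset;
}

/* Same step with SEQ_GT(): the signed difference is +10485, so a wrapped value still advances. */
uint32_t isn_tick_seqgt(struct isn_state *s)
{
    uint32_t projected_offset = s->isn_offset_old + ISN_BYTES_PER_SECOND / 100;
    if (SEQ_GT(projected_offset, s->isn_offset))
        s->isn_offset = projected_offset;
    s->isn_offset_old = s->isn_offset;
    return s->isn_offset;
}

/* Runs n ticks from a starting offset and returns the final isn_offset. */
uint32_t run_ticks(uint32_t start, int n, int use_seqgt)
{
    struct isn_state s = { start, start };
    for (int i = 0; i < n; i++) {
        if (use_seqgt)
            isn_tick_seqgt(&s);
        else
            isn_tick_unsigned(&s);
    }
    return s.isn_offset;
}

int main(void)
{
    uint32_t start = 0xFFFFFFFFu - 5000;   /* constructed: 5000 below the wrap point */
    printf("unsigned compare after 3 ticks: 0x%08x (stuck)\n", run_ticks(start, 3, 0));
    printf("SEQ_GT compare after 3 ticks:   0x%08x (advanced)\n", run_ticks(start, 3, 1));
    return 0;
}
```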